Changeset 143415 in webkit

Timestamp:

Feb 19, 2013 5:20:48 PM (11 years ago)

Author:

tonyg@chromium.org

Message:

Fix crash in preloading scanning base tags with no href attribute for background parser
​https://bugs.webkit.org/show_bug.cgi?id=110276

Reviewed by Eric Seidel.

Previously a <base> tag without an href attribute (like the one in fast/dom/HTMLAnchorElement/set-href-attribute-rebase.html)
would crash the background parser's preload scanner.

To fix that, we only call stripLeadingAndTrailingHTMLSpaces() if the href attribute is non-null. This matches the main thread parser.

Along with this, I decided to templatize updatePredictedBaseURL() so that the main and background parser can share the same impl.

This required making CompactHTMLToken and HTMLToken a little more similar:

1. Give HTMLToken a getAttributeItem() method.
2. Move CompactAttribute to CompactHTMLToken::Attribute and make it a struct.

No new tests because covered by existing tests.

• html/parser/AtomicHTMLToken.h:

(WebCore::AtomicHTMLToken::AtomicHTMLToken):

• html/parser/CompactHTMLToken.cpp:

(SameSizeAsCompactHTMLToken):
(WebCore::CompactHTMLToken::CompactHTMLToken):
(WebCore::CompactHTMLToken::getAttributeItem):
(WebCore::CompactHTMLToken::isSafeToSendToAnotherThread):

• html/parser/CompactHTMLToken.h:

(WebCore::CompactHTMLToken::Attribute::Attribute):
(Attribute):
(WebCore::CompactHTMLToken::attributes):
(CompactHTMLToken):
(WebCore::CompactHTMLToken::publicIdentifier):
(WebCore::CompactHTMLToken::systemIdentifier):

• html/parser/HTMLParserIdioms.h:

(WebCore):
(WebCore::stripLeadingAndTrailingHTMLSpaces):

• html/parser/HTMLPreloadScanner.cpp:

(WebCore::TokenPreloadScanner::StartTagScanner::processAttributes):
(WebCore):
(WebCore::TokenPreloadScanner::updatePredictedBaseURL):

• html/parser/HTMLPreloadScanner.h:
• html/parser/HTMLToken.h:

(WebCore::HTMLToken::getAttributeItem):
(HTMLToken):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• html/parser/AtomicHTMLToken.h (modified) (1 diff)
• html/parser/CompactHTMLToken.cpp (modified) (5 diffs)
• html/parser/CompactHTMLToken.h (modified) (3 diffs)
• html/parser/HTMLParserIdioms.h (modified) (2 diffs)
• html/parser/HTMLPreloadScanner.cpp (modified) (2 diffs)
• html/parser/HTMLPreloadScanner.h (modified) (1 diff)
• html/parser/HTMLToken.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-02-19  Tony Gentilcore  <tonyg@chromium.org>
+
+        Fix crash in preloading scanning base tags with no href attribute for background parser
+        https://bugs.webkit.org/show_bug.cgi?id=110276
+
+        Reviewed by Eric Seidel.
+
+        Previously a <base> tag without an href attribute (like the one in fast/dom/HTMLAnchorElement/set-href-attribute-rebase.html)
+        would crash the background parser's preload scanner.
+
+        To fix that, we only call stripLeadingAndTrailingHTMLSpaces() if the href attribute is non-null. This matches the main thread parser.
+
+        Along with this, I decided to templatize updatePredictedBaseURL() so that the main and background parser can share the same impl.
+
+        This required making CompactHTMLToken and HTMLToken a little more similar:
+        1. Give HTMLToken a getAttributeItem() method.
+        2. Move CompactAttribute to CompactHTMLToken::Attribute and make it a struct.
+
+        No new tests because covered by existing tests.
+
+        * html/parser/AtomicHTMLToken.h:
+        (WebCore::AtomicHTMLToken::AtomicHTMLToken):
+        * html/parser/CompactHTMLToken.cpp:
+        (SameSizeAsCompactHTMLToken):
+        (WebCore::CompactHTMLToken::CompactHTMLToken):
+        (WebCore::CompactHTMLToken::getAttributeItem):
+        (WebCore::CompactHTMLToken::isSafeToSendToAnotherThread):
+        * html/parser/CompactHTMLToken.h:
+        (WebCore::CompactHTMLToken::Attribute::Attribute):
+        (Attribute):
+        (WebCore::CompactHTMLToken::attributes):
+        (CompactHTMLToken):
+        (WebCore::CompactHTMLToken::publicIdentifier):
+        (WebCore::CompactHTMLToken::systemIdentifier):
+        * html/parser/HTMLParserIdioms.h:
+        (WebCore):
+        (WebCore::stripLeadingAndTrailingHTMLSpaces):
+        * html/parser/HTMLPreloadScanner.cpp:
+        (WebCore::TokenPreloadScanner::StartTagScanner::processAttributes):
+        (WebCore):
+        (WebCore::TokenPreloadScanner::updatePredictedBaseURL):
+        * html/parser/HTMLPreloadScanner.h:
+        * html/parser/HTMLToken.h:
+        (WebCore::HTMLToken::getAttributeItem):
+        (HTMLToken):
+
 2013-02-19  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/WebCore/html/parser/AtomicHTMLToken.h

@@ -202 +202 @@
         case HTMLToken::StartTag:
             m_attributes.reserveInitialCapacity(token.attributes().size());
-            for (Vector<CompactAttribute>::const_iterator it = token.attributes().begin(); it != token.attributes().end(); ++it)
-                m_attributes.append(Attribute(QualifiedName(nullAtom, it->name(), nullAtom), it->value()));
+            for (Vector<CompactHTMLToken::Attribute>::const_iterator it = token.attributes().begin(); it != token.attributes().end(); ++it)
+                m_attributes.append(Attribute(QualifiedName(nullAtom, it->name, nullAtom), it->value));
             // Fall through!
         case HTMLToken::EndTag:

trunk/Source/WebCore/html/parser/CompactHTMLToken.cpp

@@ -40 +40 @@
     unsigned bitfields;
     String name;
-    Vector<CompactAttribute> vector;
+    Vector<Attribute> vector;
     TextPosition textPosition;
     OwnPtr<XSSInfo> xssInfo;
@@ -61 +61 @@
         // There is only 1 DOCTYPE token per document, so to avoid increasing the
         // size of CompactHTMLToken, we just use the m_attributes vector.
-        m_attributes.append(CompactAttribute(String(token->publicIdentifier()), String(token->systemIdentifier())));
+        m_attributes.append(Attribute(String(token->publicIdentifier()), String(token->systemIdentifier())));
         m_doctypeForcesQuirks = token->forceQuirks();
         break;
@@ -71 +71 @@
         // FIXME: Attribute names and values should be 8bit when possible.
         for (Vector<HTMLToken::Attribute>::const_iterator it = token->attributes().begin(); it != token->attributes().end(); ++it)
-            m_attributes.append(CompactAttribute(String(it->name), String(it->value)));
+            m_attributes.append(Attribute(String(it->name), String(it->value)));
         // Fall through!
     case HTMLToken::EndTag:
@@ -103 +103 @@
 }
 
-const CompactAttribute* CompactHTMLToken::getAttributeItem(const QualifiedName& name) const
+const CompactHTMLToken::Attribute* CompactHTMLToken::getAttributeItem(const QualifiedName& name) const
 {
     for (unsigned i = 0; i < m_attributes.size(); ++i) {
-        if (threadSafeMatch(m_attributes.at(i).name(), name))
+        if (threadSafeMatch(m_attributes.at(i).name, name))
             return &m_attributes.at(i);
     }
@@ -114 +114 @@
 bool CompactHTMLToken::isSafeToSendToAnotherThread() const
 {
-    for (Vector<CompactAttribute>::const_iterator it = m_attributes.begin(); it != m_attributes.end(); ++it) {
-        if (!it->name().isSafeToSendToAnotherThread())
+    for (Vector<Attribute>::const_iterator it = m_attributes.begin(); it != m_attributes.end(); ++it) {
+        if (!it->name.isSafeToSendToAnotherThread())
             return false;
-        if (!it->value().isSafeToSendToAnotherThread())
+        if (!it->value.isSafeToSendToAnotherThread())
             return false;
     }

trunk/Source/WebCore/html/parser/CompactHTMLToken.h

@@ -43 +43 @@
 class XSSInfo;
 
-class CompactAttribute {
-public:
-    CompactAttribute(const String& name, const String& value)
-        : m_name(name)
-        , m_value(value)
-    {
-    }
-
-    const String& name() const { return m_name; }
-    const String& value() const { return m_value; }
-
-private:
-    String m_name;
-    String m_value;
-};
-
 class CompactHTMLToken {
 public:
+    struct Attribute {
+        Attribute(const String& name, const String& value)
+            : name(name)
+            , value(value)
+        {
+        }
+
+        String name;
+        String value;
+    };
+
     CompactHTMLToken(const HTMLToken*, const TextPosition&);
     CompactHTMLToken(const CompactHTMLToken&);
@@ -70 +65 @@
     bool selfClosing() const { return m_selfClosing; }
     bool isAll8BitData() const { return m_isAll8BitData; }
-    const Vector<CompactAttribute>& attributes() const { return m_attributes; }
-    const CompactAttribute* getAttributeItem(const QualifiedName&) const;
+    const Vector<Attribute>& attributes() const { return m_attributes; }
+    const Attribute* getAttributeItem(const QualifiedName&) const;
     const TextPosition& textPosition() const { return m_textPosition; }
 
     // There is only 1 DOCTYPE token per document, so to avoid increasing the
     // size of CompactHTMLToken, we just use the m_attributes vector.
-    const String& publicIdentifier() const { return m_attributes[0].name(); }
-    const String& systemIdentifier() const { return m_attributes[0].value(); }
+    const String& publicIdentifier() const { return m_attributes[0].name; }
+    const String& systemIdentifier() const { return m_attributes[0].value; }
     bool doctypeForcesQuirks() const { return m_doctypeForcesQuirks; }
     XSSInfo* xssInfo() const;
@@ -89 +84 @@
 
     String m_data; // "name", "characters", or "data" depending on m_type
-    Vector<CompactAttribute> m_attributes;
+    Vector<Attribute> m_attributes;
     TextPosition m_textPosition;
     OwnPtr<XSSInfo> m_xssInfo;

trunk/Source/WebCore/html/parser/HTMLParserIdioms.h

@@ -27 +27 @@
 
 #include <wtf/Forward.h>
+#include <wtf/text/WTFString.h>
 #include <wtf/unicode/Unicode.h>
 
@@ -41 +42 @@
 // Strip leading and trailing whitespace as defined by the HTML specification. 
 String stripLeadingAndTrailingHTMLSpaces(const String&);
+template<size_t inlineCapacity>
+String stripLeadingAndTrailingHTMLSpaces(const Vector<UChar, inlineCapacity>& vector)
+{
+    return stripLeadingAndTrailingHTMLSpaces(StringImpl::create8BitIfPossible(vector));
+}
 
 // An implementation of the HTML specification's algorithm to convert a number to a string for number and range types.

trunk/Source/WebCore/html/parser/HTMLPreloadScanner.cpp

@@ -128 +128 @@
 
 #if ENABLE(THREADED_HTML_PARSER)
-    void processAttributes(const Vector<CompactAttribute>& attributes)
+    void processAttributes(const Vector<CompactHTMLToken::Attribute>& attributes)
     {
         if (m_tagId >= UnknownTagId)
             return;
-        for (Vector<CompactAttribute>::const_iterator iter = attributes.begin(); iter != attributes.end(); ++iter)
-            processAttribute(iter->name(), iter->value());
+        for (Vector<CompactHTMLToken::Attribute>::const_iterator iter = attributes.begin(); iter != attributes.end(); ++iter)
+            processAttribute(iter->name, iter->value);
     }
 #endif
@@ -338 +338 @@
 }
 
-void TokenPreloadScanner::updatePredictedBaseURL(const HTMLToken& token)
+template<typename Token>
+void TokenPreloadScanner::updatePredictedBaseURL(const Token& token)
 {
     ASSERT(m_predictedBaseElementURL.isEmpty());
-    for (HTMLToken::AttributeList::const_iterator iter = token.attributes().begin(); iter != token.attributes().end(); ++iter) {
-        AtomicString attributeName(iter->name);
-        if (attributeName == hrefAttr) {
-            String hrefValue = StringImpl::create8BitIfPossible(iter->value);
-            m_predictedBaseElementURL = KURL(m_documentURL, stripLeadingAndTrailingHTMLSpaces(hrefValue));
-            break;
-        }
-    }
-}
-
-#if ENABLE(THREADED_HTML_PARSER)
-void TokenPreloadScanner::updatePredictedBaseURL(const CompactHTMLToken& token)
-{
-    ASSERT(m_predictedBaseElementURL.isEmpty());
-    m_predictedBaseElementURL = KURL(m_documentURL, stripLeadingAndTrailingHTMLSpaces(token.getAttributeItem(hrefAttr)->value())).copy();
-}
-#endif
+    if (const typename Token::Attribute* hrefAttribute = token.getAttributeItem(hrefAttr))
+        m_predictedBaseElementURL = KURL(m_documentURL, stripLeadingAndTrailingHTMLSpaces(hrefAttribute->value)).copy();
+}
 
 HTMLPreloadScanner::HTMLPreloadScanner(const HTMLParserOptions& options, const KURL& documentURL)

trunk/Source/WebCore/html/parser/HTMLPreloadScanner.h

@@ -83 +83 @@
     static String initiatorFor(TagId);
 
-    void updatePredictedBaseURL(const HTMLToken&);
-#if ENABLE(THREADED_HTML_PARSER)
-    void updatePredictedBaseURL(const CompactHTMLToken&);
-#endif
+    template<typename Token>
+    void updatePredictedBaseURL(const Token&);
 
     CSSPreloadScanner m_cssScanner;

trunk/Source/WebCore/html/parser/HTMLToken.h

@@ -359 +359 @@
     }
 
+    const Attribute* getAttributeItem(const QualifiedName& name) const
+    {
+        for (unsigned i = 0; i < m_attributes.size(); ++i) {
+            if (AtomicString(m_attributes.at(i).name) == name.localName())
+                return &m_attributes.at(i);
+        }
+        return 0;
+    }
+
     // Used by the XSSAuditor to nuke XSS-laden attributes.
     void eraseValueOfAttribute(size_t i)